The Generic Transformation from Standard Signatures to Identity-Based Aggregate Signatures
Bei Liang, Hongda Li, Jinyong Chang
Identity-Based Aggregate Signatures
[Figure: a system with PK and MSK. Users Bob (id1), Alice (id2) and Eve (id3) hold secret keys SK1, SK2 and SK3. Bob signs m1 to get S1, Alice signs m2 to get S2, and Eve signs m3 to get S3. An aggregator combines S1, S2 and S3 into SA.]
Goal: prove that Bob, Alice and Eve indeed signed the messages m1, m2 and m3 respectively.
Identity-Based Aggregate Signatures. Gentry and Ramzan. PKC 2006.
Identity-Based Aggregate Signatures
• IBAS. [GR06] PKC 06
• IBAS (with same common token). [BJ10] PKC 10
• Sequential IBAS. [BGN+06] CCS 07
• Unrestricted IBAS. [HSW13] CRYPTO 13
Identity-Based Aggregate Signatures
IBAS are restricted to:
• share a common token
  e.g., where a set of signatures can only be aggregated if they were created with the same common token
• require sequential additions
  e.g., where a group of signers sequentially form an aggregate by each adding their own signature to the aggregate-so-far
Identity-Based Aggregate Signatures
How to achieve identity-based aggregate signatures from standard signatures?
Overview of our Approach
Standard signature scheme
  → (Universal samplers [HJK+14]) → Identity-based signature
  → (Indistinguishability obfuscation [HKW14]) → Identity-based aggregate signature
Our Construction
Standard signature scheme
  + UP + iO + OWFs
  → Identity-based aggregate signature*
Tools used: wCCA PKE, homomorphic encryption, (puncturable) PRFs
*: n-bounded IBAS, i.e. at most n signatures can be aggregated.
Our Construction
IBAS.Setup
1. HE.Setup → (pkHE, skHE); HE.Enc(pkHE, 0) → cti;
2. PKE.Setup → (pk, sk); PRF key K; universal parameter U;
3. Create programs P0, iO(P1), iO(P2);
4. Output public parameters PP = (pkHE, U, P0, iO(P1), iO(P2)), master secret key msk = sk;
P0 (input r = r0||r1)
1. SIG.Setup(r0) → (vkSIG, skSIG); PKE.Enc(pk, skSIG; r1) → c;
2. Output (vkSIG, c);
Our Construction
IBAS.KeyGen(sk, id)
1. InduceGen(U, P0||id) → (vkid, cid);
2. Return PKE.Dec(sk, cid) → skid;
IBAS.Sign(skid, m)
1. SIG.Sign(skid, m) → σ;
2. Return σ;
Our Construction
IBAS.Aggregate(PP, {(idi, mi), σi}i)
1. InduceGen(U, P0||idi) → (vki, ci);
2. Return iO(P1)({vki, (idi, mi), σi}i);
P1 (input {vki, (idi, mi), σi}i)
1. Compute t = σ1·ct1 + ··· + σn·ctn;
2. Compute si = F(K, vki||idi||mi||i||t);
3. Output σagg = (t, ⊕i si);
Our Construction
IBAS.Verify(PP, {(idi, mi)}i, σagg = (t, s))
1. InduceGen(U, P0||idi) → (vki, ci);
2. Return iO(P2)({vki, (idi, mi)}i, σagg);
P2 (input {vki, (idi, mi)}i, σagg = (t, s))
1. Compute s' = ⊕i F(K, vki||idi||mi||i||t);
2. Output 1 if s' = s, else output 0;
Security Proof idea
Game-0
Attacker's target: (id*, m*)
Challenger samples: (pkHE, skHE), (pk, sk), U, K, ct1=HE.Enc(0), …, ctn=HE.Enc(0), P0, iO(P1), iO(P2)
Attacker receives: P=(U, P0, iO(P1), iO(P2))
Queries: id → skid; (id, m) → σ
Attacker outputs: (id1, m1),…,(id*, m*),…,(idn, mn) and σ*agg
Attacker wins if:
• id*, m* not queried
• Verify({(idi, mi)}i, σ*agg)=1
Security Proof idea
Game-1
Attacker's target: (idi*, mi*)
Challenger samples: (pkHE, skHE), (pk, sk), U, K, ct1=HE.Enc(0), …, ctn=HE.Enc(0), P0, iO(P1), iO(P2)
Attacker receives: P=(U, P0, iO(P1), iO(P2))
Queries: id → skid; (id, m) → σ
Attacker outputs: (id1, m1),…,(idi*, mi*),…,(idn, mn) and σ*agg
Attacker wins if:
• id*, m* not queried
• Verify({(idi, mi)}i, σ*agg)=1
Security Proof idea
Game-2
Attacker's target: (idi*, mi*)
Challenger samples: (pkHE, skHE), (pk, sk), U, K, ct1=HE.Enc(0), …, cti*=HE.Enc(1), …, ctn=HE.Enc(0), P0, iO(P1), iO(P2)
Attacker receives: P=(U, P0, iO(P1), iO(P2))
Queries: id → skid; (id, m) → σ
Attacker outputs: (id1, m1),…,(idi*, mi*),…,(idn, mn) and σ*agg
Attacker wins if:
• id*, m* not queried
• Verify({(idi, mi)}i, σ*agg)=1
Security Proof idea
Game-3
Attacker's target: (idi*, mi*)
SIG.Setup → (vki*, ski*), PKE.Enc(ski*) → ci*
Challenger samples: (pkHE, skHE), (pk, sk), K, U=SimUGen(vki*, ci*), ct1=HE.Enc(0), …, cti*=HE.Enc(1), …, ctn=HE.Enc(0), P0, iO(P1), iO(P2)
Attacker receives: P=(U, P0, iO(P1), iO(P2))
Queries: id → skid; (id, m) → σ
Attacker outputs: (id1, m1),…,(idi*, mi*),…,(idn, mn) and σ*agg
Attacker wins if:
• id*, m* not queried
• Verify({(idi, mi)}i, σ*agg)=1
Security Proof idea
Game-4
Attacker's target: (idi*, mi*)
vki*, PKE.Enc(1) → ci*
Challenger samples: (pkHE, skHE), (pk, sk), K, U=SimUGen(vki*, ci*), ct1=HE.Enc(0), …, cti*=HE.Enc(1), …, ctn=HE.Enc(0), P0, iO(P1), iO(P2)
Attacker receives: P=(U, P0, iO(P1), iO(P2))
Queries: id → skid; (id, m) → σ
Attacker outputs: (id1, m1),…,(idi*, mi*),…,(idn, mn) and σ*agg
Attacker wins if:
• id*, m* not queried
• Verify({(idi, mi)}i, σ*agg)=1
Security Proof idea
Game-5
Attacker's target: (idi*, mi*)
vki*, PKE.Enc(1) → ci*
Challenger samples: (pkHE, skHE), (pk, sk), K, U=SimUGen(vki*, ci*), ct1=HE.Enc(0), …, cti*=HE.Enc(1), …, ctn=HE.Enc(0), P0, iO(P*1), iO(P*2)
Attacker receives: P=(U, P0, iO(P*1), iO(P*2))
Queries: id → skid; (id, m) → σ
Attacker outputs: (id1, m1),…,(idi*, mi*),…,(idn, mn) and σ*agg
(mi*, HE.Dec(skHE, t*)) → unforgeability of signature scheme
Attacker wins if:
• id*, m* not queried
• Verify({(idi, mi)}i, σ*agg)=1